NSA Warns of Risks of Generic Certificates, Proposes Mitigation Measures


NSA Provides Mitigation Measures Against Generic Certificate Risks

The United States National Security Agency (NSA) warns of the dangers of using wide-scope certificates to authenticate multiple servers in an organization.

In a document released last week, the agency provides mitigating measures against the risks associated with the use of generic certificates. These include a recently disclosed ALPACA technique that could be used for various traffic redirection attacks.

ALPACA can bite

The agency refers to the dangers posed by generic or multi-domain digital certificates that validate the identity of the server to allow a reliable and secure connection via the TLS (Transport Layer Security) cryptographic protocol.

In a presentation two months ago, researchers showed that TLS servers running different protocols but with compatible certificates (e.g., wildcard, multi-domain) could be exploited via an application layer protocol content confusion attack.

They named the technique ALPACA, short for Application Layer Protocols Allowing Cross-Protocol Attack, noting that a malicious actor meeting certain conditions could at least steal cookies or perform cross-site scripting attacks.

A generic (wildcard) digital certificate can be used with multiple subdomains of the same domain, so it can span multiple servers (e.g. email, FTP, applications), while a multi-domain certificate is used for multiple domains on a single IP address.

NSA says [PDF] that “ALPACA is a complex class of exploitation techniques which can take many forms” and that a realistic scenario for such an attack would require the following:

  • a target web application that uses TLS
  • another service / application (usually not a web server) that presents a valid TLS certificate with a subject name that would be valid for the targeted web application, for example when wildcard certificates are too broad in scope
  • a way for the malicious actor to redirect the victim’s network traffic destined for the target web application to the second service (possibly obtained through Domain Name System (DNS) poisoning or a man-in-the-middle compromise)
  • an HTTP request which is accepted by the second service which results in at least part of the request being returned to the sender

A threat actor meeting these “relatively uncommon conditions” would be able to perform at least phishing, watering hole, malvertising, or man-in-the-middle (MitM) attacks.

Using the ALPACA technique, an adversary could trick the victim’s web browser into trusting and executing responses reflected by a malicious service that are signed with the correct certificate.

This opens the door to the theft of session cookies, private user data, and the execution of arbitrary code in the context of a vulnerable server.

Compromise a secure web application using the ALPACA technique

  1. The malicious actor tricks the user into visiting a crafted URL (phishing, malvertising, etc.)
  2. User sends URL request to app.example.com
  3. Using one of the many network manipulation techniques, the user’s request is redirected by the malicious actor to service.example.com instead.
  4. The non-HTTP service.example.com (for example, a File Transfer Protocol [FTP], Simple Mail Transfer Protocol [SMTP], or other non-web server) attempts to process the HTTP request, causing an error that reflects malicious content in the server response
  5. The response from the server is signed by the certificate *.example.com
  6. The user’s browser receives the response to their request. Because the request was to app.example.com and the response is authenticated by *.example.com, the browser trusts the response and executes it in the context of app.example.com. This gives the malicious script access to user data and cookies for app.example.com in the browser

The NSA is also reminding organizations of the role that wildcard certificates play in a trusted architecture, as they “can be used to represent any system within its scope.”

For this reason, they must protect the private key of a wildcard certificate and keep it on a well-maintained server to avoid the risk of an attacker obtaining it by compromising a poorly secured machine.

Pivoting to a secure server after compromising an insecure machine in the same certificate scope

Mitigate the risks associated with generic certificates

The NSA recommends that organizations ensure that generic certificates are used responsibly and that their scope within the organization is understood.

Organizations should identify where the private keys for these certificates are stored and use the level of security required by all applications within the scope of the certificates.
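One way to map that scope, as an added example that is not taken from the NSA document: the script below walks a service inventory and flags every non-HTTP service whose certificate names (wildcard or multi-domain) are also valid for a web application's hostname, which is the second ALPACA condition listed above. The inventory, field names and function names are constructed for illustration.

```python
# Added example: find non-HTTP services whose certificate is also valid for a
# web application's hostname. INVENTORY is constructed sample data; in practice
# it would come from a certificate scan or asset database export.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname.
    A '*' is honoured only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard (rejects "*.com")
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cross_protocol_exposure(inventory):
    """Return (web_host, other_host, other_protocol, matching_cert_name) for each
    non-HTTP service presenting a certificate valid for a web app's name."""
    web = [s for s in inventory if s["protocol"] == "https"]
    other = [s for s in inventory if s["protocol"] != "https"]
    findings = []
    for w in web:
        for o in other:
            for name in o["cert_names"]:
                if name_matches(name, w["host"]):
                    findings.append((w["host"], o["host"], o["protocol"], name))
                    break     # one matching name per service pair is enough
    return findings

# Constructed inventory: one wildcard shared with FTP, one multi-domain
# certificate on SMTP, and one narrower wildcard that does not overlap.
INVENTORY = [
    {"host": "app.example.com", "protocol": "https", "cert_names": ["*.example.com"]},
    {"host": "portal.example.com", "protocol": "https", "cert_names": ["portal.example.com"]},
    {"host": "service.example.com", "protocol": "ftp", "cert_names": ["*.example.com"]},
    {"host": "mail.example.com", "protocol": "smtp",
     "cert_names": ["mail.example.com", "app.example.com"]},
    {"host": "files.corp.example.com", "protocol": "ftp", "cert_names": ["*.corp.example.com"]},
]

if __name__ == "__main__":
    for web_host, svc, proto, name in cross_protocol_exposure(INVENTORY):
        print(f"{web_host}: {proto} service {svc} presents a valid name ({name})")
```

Each finding is a candidate for a narrower, per-service certificate or for placement behind a gateway that rejects non-matching protocols.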

Using an Application Gateway or Web Application Firewall (WAF) in front of servers, non-HTTP servers included, is another agency recommendation.

The agency also recommends using encrypted DNS and validating DNS Security Extensions (DNSSEC) to prevent DNS redirection that could send targeted users to a malicious location.

The NSA also recommends enabling Application Layer Protocol Negotiation (ALPN) if possible and keeping browsers up to date with their latest version.

